The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.1, 4.2 before 4.2(3)SR4b, 4.3 before 4.3(2)SR1b, 5.x before 5.1(3e), 6.x before 6.1(3), and 7.0 before 7.0(2) sends privileged directory-service account credentials to the client in cleartext, which allows remote attackers to modify the CUCM configuration and perform other privileged actions by intercepting these credentials, and then using them in requests unrelated to the intended synchronization task, as demonstrated by (1) DC Directory account credentials in CUCM 4.x and (2) TabSyncSysUser account credentials in CUCM 5.x through 7.x.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: cisco
Published: 2009-03-12T15:00:00
Updated: 2024-08-07T04:40:05.122Z
Reserved: 2009-02-18T00:00:00
Link: CVE-2009-0632
Vulnrichment
No data.
NVD
Status : Modified
Published: 2009-03-12T15:20:49.750
Modified: 2024-11-21T01:00:34.007
Link: CVE-2009-0632
Redhat
No data.